Lucene search

IBM49386F47EADE0DE732D1E2EAE22745F6CAE3F555FC24C1D5930A01C94E1FF41D

HistoryFeb 22, 2024 - 4:31 p.m.

Security Bulletin: IBM Sterling B2B Integrator affected by multiple vulnerabilities due to snappy-java

2024-02-2216:31:41

www.ibm.com

ibm sterling b2b integrator

snappy-java

vulnerabilities

update

fixed versions

denial of service

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.5%

JSON

Summary

IBM Sterling B2B Integrator uses snappy-java. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-34455
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34453
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258186 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34454
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling B2B Integrator	6.0.0.0 - 6.0.3.8
IBM Sterling B2B Integrator	6.1.0.0 - 6.1.0.7, 6.1.1.0 - 6.1.2.3

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product	Version	APAR	Remediation & Fix
IBM Sterling B2B Integrator	6.0.0.0 - 6.0.3.8	IT44182	Apply 6.0.3.9
IBM Sterling B2B Integrator	6.1.0.0 - 6.1.0.7, 6.1.1.0 - 6.1.2.3	IT44182	Apply 6.1.0.8, 6.1.2.5 or 6.2.0.0

The IIM versions of 6.1.0.8, 6.0.3.9 and 6.1.2.5 are available on Fix Central. The IIM version of 6.2.0.0 is available on Passport Advantage

The container version of 6.1.2.5 and 6.2.0.0 are available in IBM Entitled Registry.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsterling_b2b_integratorMatch6.0.0.0

ibmsterling_b2b_integratorMatch6.2.0.0

CPENameOperatorVersion
ibm sterling b2b integratoreq6.0.0.0
ibm sterling b2b integratoreq6.2.0.0

CPE	Name	Operator	Version
	ibm sterling b2b integrator	eq	6.0.0.0
	ibm sterling b2b integrator	eq	6.2.0.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.5%

JSON

Related for 49386F47EADE0DE732D1E2EAE22745F6CAE3F555FC24C1D5930A01C94E1FF41D